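---
# Authentik User Management - Service-Specific User Setup
#
# Creates the dedicated system group and user for Authentik, prepares the
# home, data and media directories, and publishes the account's numeric
# UID/GID as the facts authentik_uid / authentik_gid for container templates.

- name: Create authentik group
  group:
    name: "{{ authentik_group }}"
    system: true

- name: Create authentik user
  user:
    name: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    # Supplementary groups; presumably these grant access to the PostgreSQL
    # and Valkey clients - confirm against the roles that define them.
    groups: "{{ [postgresql_client_group, valkey_client_group] }}"
    # append: true adds to existing supplementary groups rather than
    # replacing them.
    append: true
    system: true
    # NOTE(review): this gives a service account an interactive shell. If
    # nothing has to log in as this user, a nologin shell would narrow the
    # account - confirm what the container tooling needs before changing it.
    shell: /bin/bash
    home: "{{ authentik_home }}"
    create_home: true
    comment: "Authentik authentication service"

- name: Create authentik directories
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ authentik_user }}"
    group: "{{ authentik_group }}"
    # NOTE(review): 0755 lets every local account list and traverse the
    # home, data and media directories of the identity provider. Consider
    # '0750' if no other local user has to read them.
    mode: '0755'
  loop:
    - "{{ authentik_home }}"
    - "{{ authentik_home }}/data"
    - "{{ authentik_home }}/media"

- name: Get authentik user UID and GID for container configuration
  # The ids are assigned before being echoed so that a failing `id` aborts
  # the task under `set -e`. With `echo "uid=$(id ...)"` the exit status is
  # echo's, so a lookup failure would yield an empty "uid=" line and an empty
  # fact. The user name is passed through the quote filter so that it reaches
  # `id` as a single shell word.
  shell: |
    set -eu
    uid="$(id -u {{ authentik_user | quote }})"
    gid="$(id -g {{ authentik_user | quote }})"
    echo "uid=${uid}"
    echo "gid=${gid}"
  register: authentik_user_info
  # Read-only lookup: never report a change.
  changed_when: false

- name: Set authentik UID/GID facts for container templates
  # stdout_lines[0] is the "uid=<n>" line and stdout_lines[1] the "gid=<n>"
  # line printed above. The prefix is stripped only at the start of the line.
  set_fact:
    authentik_uid: "{{ authentik_user_info.stdout_lines[0] | regex_replace('^uid=', '') }}"
    authentik_gid: "{{ authentik_user_info.stdout_lines[1] | regex_replace('^gid=', '') }}"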